In the current global economy, many companies have operations and assets in far-flung corners of the world. These geographically dispersed arrangements have a number of implications for the concerned companies. According to a recent decision from the Delaware Court of Chancery, the arrangements may also have important implications for these companies’ outside directors, at least for those companies organized under Delaware law. These implications could include heightened responsibilities and even heightened liability exposures that may come as a surprise to some outside directors.

 

These issues arose at a February 6, 2013 Delaware Court of Chancery hearing before Chancellor Leo E. Strine, Jr. in a shareholders’ derivative lawsuit involving Puda Coal, a Delaware corporation with significant operations in China. As is clear from the hearing transcript (a copy of which can be found here, Hat Tip to the Delaware Corporate & Commercial Litigation Blog), the parties at the hearing conceded that one of the Chinese members of the board – and at the time of the hearing, the sole remaining board director – had, in the words of Chancellor Strine, “stolen” significant assets from the company, and that the “theft” had gone undetected for an extended period of time. (Further background regarding these events can be found here.) After the misappropriation of corporate assets was discovered (apparently by an online analyst) and after the two outside company directors who were represented at the hearing were unable to get answers to their questions, the two individual directors had resigned.

 

The shareholders’ derivative suit had been filed before the two individuals had resigned. The two individuals moved to dismiss the suit, arguing that the plaintiffs had failed to make the requisite demand on the company’s board, and also arguing that the plaintiffs had failed to state a claim on which relief could be granted.

 

Chancellor Strine largely denied the defendants’ motions, granting the motion (with leave to amend) solely with respect to the plaintiffs’ unjust enrichment claims. Chancellor Strine was particularly contemptuous of the defendants’ demand failure arguments, given that upon uncovering the problems at the company, the individuals did not take up the suit against the wrongdoer, but rather quit, which had the effect of leaving the alleged wrongdoer as the sole remaining director.

 

In rejecting the defendants’ motion in this regard, Chancellor Strine called the defendants’ arguments “astonishing,” particularly since, if the motion were to be granted, “control of the entire lawsuit” would belong to the remaining director’s determination. Among other things, Chancellor Strine invoked Kafka to characterize the result that the individual defendants sought in their demand failure argument.

 

The far more significant portion of Chancellor Strine’s discussion of the defendants’ dismissal motion has to do with his rejection of the defendants’ arguments that the plaintiffs had failed to state a claim. In rejecting the defendants’ arguments, Chancellor Strine articulated a vision of responsibility for independent directors of companies with overseas operations or assets that I think might come as a shock to many outside directors; he said that

 

If you’re going to have a company domiciled for purposes of its relations with investors in Delaware and the assets and operations of the company are situated in China that, in order for you to meet your obligation of good faith, you better have your physical body in China an awful lot. You better have in place a system of controls to make sure that you know that you actually own the assets. You better have the language skills to navigate the environment in which the company is operating. You better have retained accountants and lawyers who are fit to the task of maintaining a system of controls over a public company.

This is a very troubling case in terms that, the use of a Delaware entity in something along these lines. Independent directors who step into these situations involving essentially the fiduciary oversight of assets in other parts of the world have a duty not to be dummy directors. I’m not mixing up care in the sense of negligence with loyalty here, in the sense of our duty of loyalty. I’m talking about the loyalty issue of understanding that if assets are in Russia, if they’re in Nigeria, if they’re in the Middle East, if they’re in China, that you’re not going to be able to sit in your home in the U.S. and do a conference call four times a year and discharge your duty of loyalty. That won’t cut it.

If it’s a situation where, frankly, all the flow of information is in the language that I don’t understand, in a culture where there’s, frankly, not legal strictures or structures or ethical mores yet that may be advanced to the level where I’m comfortable? It would be very difficult if I didn’t know the language, the tools. You better be careful there. You have a duty to think.

 

Chancellor Strine’s comments appear in a hearing transcript and not in a written order, but as Francis Pileggi notes in a February 19, 2013 post on his Delaware Corporate and Commercial Litigation Blog about the ruling in the Puda Coal case (here), in Delaware courts, transcript rulings can be cited in the briefs.

 

As Tariq Mundiya of the Willkie Farr law firm noted in a February 23, 2013 post about the case on the Harvard Law School Forum on Corporate Governance and Financial Regulation (here), Chancellor Strine’s ruling “highlights the risks and challenges that may exist for directors of Delaware corporations with significant foreign assets or operations.”

 

Chancellor Strine articulates a very broad vision of independent directors’ oversight responsibilities for Delaware companies’ foreign operations or assets. The expectation that independent directors physically visit and inspect the foreign operations and also speak the local language in the foreign locations may come as something of a shock to many outside directors. These days many companies have operations in multiple countries; larger companies have operations around the world. Chancellor Strine’s expectation that outside directors must be both regularly physically present and culturally literate in each of the locations of the company’s overseas operations may represent a vision of board responsibility that likely would exceed the expectations of many company directors.

 

As if that were not enough, Chancellor Strine also had words about the independent directors’ decisions to resign. As he said, “there are some circumstances in which running away does not immunize you. In fact it involves a breach of fiduciary duty.” He added that “if these directors are going to eventually testify that at the time that they quit they believed that the chief executive officer of the company had stolen assets out from under the company, and they did not cause the company to sue or do anything, but they simply quit, I’m not sure that that’s a decision that itself is not a breach of fiduciary duty. And that’s another reason for sustaining the complaint.”

 

To be sure, this case involved admittedly extreme circumstances. And arguably Strine’s comments could be limited to cases in which a company’s assets or operations are exclusively concentrated in a single foreign country. But the sweeping vision of independent directors’ oversight responsibilities for their companies’ overseas operations — premised as it is on the presumption that it is the job of the directors to try to prevent what happened here – arguably could require a complete overhaul of the way that the boards of global companies think about their directors’ responsibilities. At a minimum, the requirements for a regular physical presence and a cultural literacy in the locations where a Delaware company has operations or assets may far exceed the expectations of many independent board members. If Strine’s vision of board oversight responsibilities were to become established and come to represent the Delaware standard, it could require a substantial revision of the way that many Delaware boards and directors think about their board responsibilities.  

 

At a minimum, I expect that Chancellor Strine’s comments will launch a discussion on the question of directors’ roles in overseeing a company’s far-flung operations. The hot topic for directors used to be financial literacy. Perhaps the question will soon become language fluency and cultural literacy.

 

The improving trend that the banking industry has shown for the last three years accelerated in 2012, according to the FDIC’s Quarterly Banking Profile for the final quarter of 2012, which was released on February 26, 2013. Overall, the industry reported 2012 earnings of $141.3 billion, which represents a 19.3 percent improvement over 2011 and the second-highest annual earnings ever reported for the industry (behind only the $153.billion earned in 2006, before the credit crisis emerged). The FDIC’s latest Quarterly Banking Profile can be found here.

 

The agency’s February 26, 2013 press release about the report (here) quotes FDIC Chairman Martin Gruenberg as saying that “the improving trend that began more than three years ago gained further ground in the fourth quarter,” and that “balances of troubled loans declined, earnings rose from a year ago, and more institutions of all sizes showed improvement.”

 

Sixty percent of all institutions reported improvements in their quarterly net income from a year ago. Asset quality indicators continued to improve as insured banks and thrifts charged off $18.6 billion in uncollectable loans during the quarter, down $7.0 billion (27.4 percent) from a year earlier.

 

In another positive sign, the number of failed institutions is also declining. Eight institutions failed in the fourth quarter of 2012, which is the lowest quarterly total since 2008, when two institutions failed. (So far during the first quarter of 2013, three banks have failed.) For all of 2012, there were a total of 51 bank failures, down from 92 in 2011 and 157 in 2010. The 2012 total of 51 bank failures represents the lowest annual number of bank failures since 2008, when 25 banks failed.

 

One thing that is clear is that the U.S. banking industry has been through a massive winnowing effect over the last several years. The FDIC’s quarterly report shows that as of the end of 2012, there were only 7,083 reporting financial institutions, by comparison to the 8,534 reporting institutions at the end of 2007. The 1,451 decline in the number of reporting institutions during that period represents a decline of 17%. The number of reporting institutions has declined steadily during that intervening five year period. Indeed, the number of reporting institutions declined from 7,357 at the end of 2011 to the 2012 year end number of 7,083, a decline of 274 institutions (3.72%).

 

During the fourth quarter 2012, the number of reporting institutions declined by 98 banks (1.31%), from 7,181 at the end of the third quarter of 2012 to the year end number of 7,083. The FDIC’s report states that most of this decline (88 out of 98 institutions) was attributable to the merger of institutions into other banks. The remainder is due to failures and closures. The unstated inference seems to be that the industry is improving as the weaker banks are merged out of existence.

 

Not all of the news in the FDIC’s quarterly report is positive. Among other things, the report notes that for the sixth quarter in a row, no new reporting institutions were added. The year 2012 is the first in FDIC history in which no new reporting institutions were added, and the second year in a row with no new start-up charters (the three new reporting institutions added in 2011 were all charters created to absorb failed banks).

 

And though the overall banking industry continues to improve, the number of “problem institutions” remains stubbornly high. (A “problem institution” is an insured depository institution that is ranked either a “4” or a “5” on the agency’s 1-to-5 scale of risk and supervisory concern. The agency does not release the names of the banks on its “problem” list.) Though the number of institutions on the FDIC’s problem list declined for the seventh consecutive quarter in the fourth quarter of 2012 (from 694 to 651, representing a decline of 6.2% in the number of problem institutions), the number of problem institutions remains high relative to the number of reporting institutions, which, as noted above, is also declining.

 

The 651 problem institutions at the end of 2012 represent a significant drop in the number of problem institutions from the end of 2011, when there were 813 problem institutions, and from the end of 2010, when there were 884 problem institutions. The 162 drop in the number of problem institutions between the end of 2011 and 2012 – a decline of nearly 20% in the number of problem institutions – represents a substantial drop in one year.

 

But the number of problem institutions as a percentage of reporting institutions remains stubbornly high. This is in part due to the fact that as the number of problem institutions declines, the number of reporting institutions is also declining. The 651 problem institutions as of the end of 2012 still represent 9.19% of all reporting institutions. Though this is down from the equivalent percentage as of the end of 2011 (when it was 11.01%), the 2012 year end percentage of problem institutions means that as of year end, nearly one out of every ten reporting institutions is a problem institution. By way of contrast, as of the end of 2007, the FDIC ranked only 76 institutions as problem institutions. Though subsequent events suggest that the 2007 year end number was artificially low, the 2007 number does show what the percentage of problem institutions looks like when the industry is not under stress.

 

Though the industry as a whole remains on the road to recovery, the problems from the credit crisis continue to haunt the industry and the number of problem institutions persists at an elevated level.

 

As the numbers of failed banks have declined, the number of failed bank lawsuits has continued to grow, as I detailed in a recent post (here).

 

By the time you read this blog post, you undoubtedly will have seen one of the stories in the mainstream media reporting on the February 25, 2013 decision of Southern District Judge Jed Rakoff ordering former Goldman Sachs director Rajat Gupta to repay most of the legal fees the company incurred in connection with the government’s investigation and prosecution of Gupta. In case you didn’t see the stories, you can find them, for example, here and here.

 

There are a number of interesting things about Judge Rakoff’s order, many of which garnered little attention in the mainstream media reports.

 

By way of background, readers may want to recall that Gupta was convicted in June 2012 of leaking boardroom secrets to Raj Rajaratnam, who relied on the leaked non-public information in making highly profitable securities trades. Gupta was sentenced in October 2012. Gupta is appealing his conviction.

 

Judge Rakoff did not enter the order ordering Gupta to repay Goldman in a separate proceeding. Rather, Judge Rakoff entered the order in connection with the criminal proceeding against Gupta, and in particular as part of his (Rakoff’s) deferred determination of restitution in connection with Gupta’s sentencing. Goldman had specially appeared in Gupta’s criminal case to seek restitution of the $6.9 million in fees it paid to the Sullivan & Cromwell law firm in connection with the criminal case and related matters. (Goldman later withdrew a request for restitution of Gupta’s salary and for restitution of legal fees incurred in connection with a Section 16(b) short-swing profits proceeding against Gupta, which would explain why the amount Rakoff awarded was below the restitution amount Goldman had originally requested.)

 

Goldman sought restitution under the Mandatory Victims Restitution Act, which mandates restitution in a criminal case where an identifiable victim has suffered a pecuniary loss. Under the Act, the restitution may include “necessary” expenses incurred during participation in the investigation or prosecution of the offense. Under Second Circuit authority, necessary other expenses may include attorneys’ fees, provided that the court finds by a preponderance of the evidence that the expenses were necessary and were incurred in connection with the investigation or prosecution of the offense, and that they were incurred by victims of the offense.

 

Goldman submitted 542 pages of its counsel’s billing records, relating to a range of related matters, not just Gupta’s criminal proceedings alone. Gupta had argued that the restitution, if any, should be limited to fees incurred in his prosecution. But Judge Rakoff interpreted the relief to which Goldman is entitled under the Act broadly. Judge Rakoff said that “this Court has no difficulty in concluding, by a preponderance of the evidence, that nearly all of the expenses Goldman Sachs here claims were the necessary, direct, and foreseeable result of the investigation and prosecution of Gupta’s offense.” 

 

Among other things, Rakoff included expenses incurred during Goldman Sachs’s internal investigation into Gupta’s conduct; the fees Goldman incurred to attend post-verdict proceedings in Gupta’s case; the fees the company incurred in the parallel SEC case against Gupta; and the fees the company incurred in connection with Rajaratnam’s criminal prosecution.

 

It is important to highlight the fact that in ordering Gupta to repay Goldman for the fees it incurred, Rakoff was interpreting and applying the Mandatory Victims Restitution Act. Rakoff’s order did not involve or relate to any interpretation or application of Gupta’s rights for advancement or indemnification of his attorney’s fees under Goldman’s by-laws or under applicable state law. I emphasize this fact because, following Gupta’s conviction, there has been discussion in the press of Goldman’s rights (if any) to seek recoupment from Gupta under applicable principles governing advancement or indemnification.

 

It remains an interesting question whether or not Goldman might have had the right (or would have had the right if Gupta’s conviction is affirmed) to seek to establish in a separate civil proceeding that it had a right of recoupment. But Goldman was not relying on its recoupment rights and Judge Rakoff did not order Gupta to pay Goldman in reliance upon principles of advancement or indemnification. Rather, he was applying the Mandatory Victims Restitution Act.

 

The fact that Rakoff was applying the Act is also important in connection with the question of what the ruling might mean in other cases. The ruling is only going to be relevant in other cases where a corporate official has been criminally convicted and where there is an identifiable victim that has suffered a pecuniary loss. Absent a conviction, there would be no grounds for restitution. A company seeking restitution of attorneys’ fees and other expenses would have to meet the Act’s other requirements as well. (It should be noted that Goldman is not the only company to have sought restitution of attorneys’ fees from a former official convicted of a criminal offense; as discussed here, Morgan Stanley is seeking in a separate proceeding to recover millions it paid to and on behalf of Joseph Skowron, a former hedge fund manager for the company who pleaded guilty to insider trading.)

 

Although it does not appear to have been relevant in Gupta’s case, it is interesting to consider what subrogation rights a D&O insurer might have under the Act in the event of a criminal conviction. To the extent that the attorneys’ fees had been paid by an insurer, the insurer might take the position that it is subrogated to any victims’ restitution rights to which the company is entitled under the Act. Whether the insurer would be as successful casting itself as the victim in that situation is an issue the carrier would have to address.

 


 

I am sure many readers were as disturbed as I was by the February 19, 2013 New York Times article reporting that a Chinese army unit apparently has been executing a concentrated cyber-hacking program targeting U.S. companies and critical U.S. infrastructure. (The report of consulting firm Mandiant that was the basis of the Times article can be found here.) This story is part of a rising tide of media reports about cybersecurity risks. Indeed, concerns about these kinds of activities led to President Obama’s February 12, 2013 Executive Order entitled “Improving Critical Infrastructure Cybersecurity” (here).

 

Although the recent disclosures are quite troubling, it is not news that cybersecurity risks represent a significant concern for just about every company involved in the current economy. Prior posts on this site (for example, here) have detailed the liability exposures that these risks represent for all of these companies and for their directors and officers. But while these issues are not new, it really seems that as we have headed into 2013, the volume on these issues has been turned up. It now seems clear that cybersecurity is going to be one of the hot button issues for the foreseeable future, both in the media and for the affected companies.

 

The heightened scrutiny of cybersecurity issues has a number of important implications for potentially affected companies, and not just from an operational standpoint. These developments also have important implications for public companies’ public disclosure statements, and, as a consequence, for the companies’ potential regulatory and litigation exposures.

 

Indeed, according to a February 21, 2013 memo from the King & Spalding law firm entitled “Cybersecurity: The New Big Wave in Securities Litigation?” (here), “it is likely that this issue will continue to gain momentum among both government regulators and opportunistic plaintiff lawyers seeking to catch the next wave of shareholder litigation.” In particular, the failure to promptly disclose a cyber breach “may put a company at risk of facing formal SEC investigations, shareholder class actions, or derivative lawsuits.”

 

As the memo notes, the SEC “has already taken a firm stand on cybersecurity disclosures, and clearly views this issue as ripe for enforcement actions.” In October 2011, the SEC’s Division of Corporation Finance issued “Disclosure Guidance” on cybersecurity related issues. Among other things, the Guidance clarified that the agency expects companies to disclose the risk of cyber incidents among their “risk factors” in their periodic filings and also expects companies to disclose material cybersecurity breaches in their Management Discussion and Analysis.

 

The law firm memo notes that so far, the SEC’s Guidance “seems to have had little impact on corporate disclosure,” and that in many instances companies experiencing cyber breaches are “choosing to keep those events confidential.” However, “given the increasing awareness of this hot issue,” it seems “likely” that the SEC “will increase pressure on companies to disclose such events.” The memo adds that “companies that have experienced significant cybersecurity breaches should prepare themselves for potential SEC investigations and lawsuits.”

 

In addition to the risk of SEC enforcement action, companies experiencing cyber breaches also face the possibility of a securities class action lawsuit. However, the memo notes, a company experiencing a cyber breach “will likely not be a target of a securities class action unless the disclosure of the breach can be linked to a statistically significant drop in the company’s share price.” In that respect, it is worth noting that several high profile companies announcing cyber breaches have not experienced a significant drop in their stock price following the announcement. (For example, recent announcements by Facebook, Apple and Microsoft that they have been the target of sophisticated cyber attacks did not affect the companies’ share prices.) Nevertheless, it seems likely that at least some companies experiencing cyber breaches or subject to cyber attacks will also suffer a drop in their share price, and “thus result in securities class action litigation.” 

 

Companies that do not experience a share price decline following a cybersecurity incident may not get hit with securities class action litigation, but they are still susceptible to derivative lawsuits alleging, for example, that company directors breached their fiduciary duties by failing to ensure adequate security measures. As the law firm memo notes, shareholders may claim that senior management and directors “were either aware of or should have been aware of the breach and the company’s susceptibility to hacking incidents.” Of course, any lawsuit of this type would face significant hurdles, including the requirement to make a formal demand on the board as well as the business judgment rule.

 

In any event, it is clear that cybersecurity issues are going to be an increasing source of scrutiny for companies and their senior officials. This heightened scrutiny not only means that companies will be under pressure to take steps to ensure that their networks and information are secure, but also means that the companies will face pressure both to “disclose the risks associated with potential cybersecurity breaches and provide timely updates when actual breaches occur.” Companies that fall short on these disclosure expectations “will face a substantial risk of regulatory scrutiny and shareholder litigation.”

 

As Rick Bortnick of the Cozen O’Connor firm discussed in a prior guest post on this site (here), cyber security disclosures have already been the source of securities class action litigation, in the high profile case involving Heartland Payment Systems. Although that case was dismissed, Bortnick points out how different the circumstances and disclosures involved in that case might look if viewed through the prism of the SEC’s 2011 Disclosure Guidance.

 

Among other implications from these developments is that cybersecurity disclosure seems likely to be the subject of greatly increased scrutiny, suggesting that this disclosure – particularly precautionary disclosure forewarning investors of the possible adverse effects the company could expect in the event of a serious cyber attack – should become a priority for reporting companies.

 

Finally, these developments and the possible regulatory and litigation implications underscore the fact that cybersecurity exposures represent an important issue to be addressed as part of every company’s corporate insurance program. Indeed, the SEC itself considered the question of insurance for cybersecurity exposures to represent such a critical issue that, in its Disclosure Guidance, it specifically identified the insurance issue as one of the topics companies should address in their disclosure of cybersecurity issues.

 

The insurance issues related to cybersecurity include not only the question of whether companies should acquire dedicated cyber and network security insurance, but also the question of the protection available to the companies’ senior officials under their management liability insurance policies. The rapidly evolving nature of these issues and the related liability exposures underscores the importance for all companies to have a knowledgeable and experienced insurance professional involved in the design and implementation of their corporate insurance program.

 

Readers interested in the President’s recent Executive Order and its potential implications will want to take a look at the February 2012 article written by Lockton’s Bill Boeck entitled “Cybersecurity Executive Order: What We Know and What We Don’t Know” (here).

 

Those who are interested in the implications of these developments for corporate directors will want to review the recent guest post on this site by D&O maven Dan Bailey entitled “Cyber Risks: New Focus for Directors” (here).

 

Classic Rock Notes: In its February 23, 2013 review of the new autobiography of record industry executive Clive Davis, the Wall Street Journal describes a critical incident that led Davis to become one of the recording industry’s most successful rock music producers. In June 1967, Davis attended the Monterey Pop Music festival, where he heard Janis Joplin deliver a version of Big Mama Thornton’s “Ball and Chain.” Davis described the event as “not merely one of Janis’s greatest moments onstage, but one of the classic performances in rock history. It was simply overwhelming.” Joplin was, according to Davis, “hypnotic” and “mesmerizing.” Davis says he thought on seeing her performance, “This is a social and musical revolution.”

 

Davis wasn’t exaggerating. Even in the grainy Internet video, Joplin’s performance will give you goosebumps. Crank up the volume on your computer and enjoy (watch for the cutaway shot of Mama Cass Elliot regarding Joplin in slackjawed amazement).

 

The first wave of “say on pay” litigation involved lawsuits brought by shareholders following a negative advisory say on pay vote under the Dodd-Frank Act. The second wave of say on pay litigation, which picked up in 2012, involved plaintiffs’ efforts to enjoin upcoming shareholder votes on compensation or employee share plans on the grounds of inadequate or insufficient proxy disclosure.

 

Now there is a “third wave” of executive compensation litigation, according to a February 21, 2013 memo from the Pillsbury Winthrop Shaw Pittman law firm entitled “Proxy Season Brings a Third Wave of ‘Gotcha’ Shareholder Litigation” (here). In these third wave lawsuits, the plaintiffs allege that companies issued stock options or restricted stock units to executives in amounts that exceed the limits of the companies’ stock plans. According to the law firm memo, this latest litigation wave “has not crested yet.”

 

As the memo details, the first two waves of say on pay litigation have not been particularly successful for the plaintiffs. Indeed, the memo includes detailed appendices laying out how the cases have fared in the courts. Among other things, the statistics in the memo show that in most cases the companies targeted in the second wave cases successfully fought the plaintiffs’ efforts to obtain preliminary injunctions; according to the memo, “the plaintiffs’ bar was beaten in 80% of the motions for preliminary injunction.”

 

Faced with these setbacks, the plaintiffs’ bar “has turned to a new area of focus” and “is demonstrating its resourcefulness by bringing a third wave of shareholder litigation.” The third wave, like the first two waves, concerns executive compensation. However, the third wave lawsuits do not relate to the say on pay votes.

 

According to the memo, in the past two quarters, ten companies have been targeted by derivative shareholder litigation “alleging that those companies awarded executive compensation in violation of stock plans and thus filed purportedly false and misleading proxy statements.” While noting that it is far too early to tell how these cases ultimately will fare, or whether these derivative suits will even survive motions to dismiss based on the insufficiency of the demand futility allegations, the memo does note that “if the allegations are true, these suits stand a higher probability of success than the two prior litigation waves.” However, it is “too soon to tell if plaintiffs’ allegations based on reading the relevant plans and examining the awarded executive compensations are correct or based on erroneous analysis.”

 

The memo further notes that these third wave cases are “entirely preventable.” If the allegations are true that companies issued stock options to executives in excess of limits authorized by the relevant plans, then “those actions could have been prevented by complying with all limits established by the plans.” The memo suggests that “careful review of executive compensation plans by in-house and outside counsel and compensation consultants should ensure compliance with all governing plans.”

 

While I am sure readers of this blog will find the law firm memo interesting, I suspect readers will find the memo’s detailed appendices, laying out the filing tallies and disposition patterns of the three litigation waves, to be particularly helpful and interesting.

 

Special thanks to Sarah Good of the Pillsbury law firm for sending me a copy of the memo.

 

Worth Reading: One of the blogs that we follow is The D&O Discourse written by Douglas Greene of the Lane Powell law firm. Yesterday, Doug had a post that I thought would be of interest to readers of this blog, so I am linking to it here. In the post, Doug describes important securities and corporate governance cases that he will be watching in 2013, particularly the Allergan derivative case pending in the Delaware Supreme Court and the Amgen case pending in the U.S. Supreme Court. The post does a nice job laying out why he is watching these cases and why they may be important. He also has an interesting analysis of some unanticipated and arguably unintended consequences from the Supreme Court’s 2011 decision in the Matrixx Initiatives case.

 

And Finally: How did a Roman era brick with a cat’s paw print wind up at the Fort Vancouver historical site in Washington State? Good question, answered in a February 21, 2013 article in The Atlantic Monthly entitled "1 Kitty, 2 Empires: 2,000 Years in World History Told Through a Brick" (here).

 

I recently had a meeting with the board of a publicly traded company. Among the topics I knew that I would be asked to address at the board meeting was the growing risk of cyber liability. In my preparation for the board meeting, I came across a recent article by D&O maven Dan Bailey, a partner in the Bailey Cavalieri law firm, entitled "Cyber Risks: New Focus for Directors" which talks about companies’ growing cyber liability exposures and directors’ roles as companies try to address these exposures. I found Dan’s article so helpful that I contacted him to see if he would be willing to publish the article on this site. I am pleased to report that Dan agreed to allow me to publish the article, which is reproduced below.

 

I would like to thank Dan for his willingness to publish his article on this site. I welcome guest posts from responsible commentators on topics of relevance to this blog. Readers interested in publishing a guest post are encouraged to contact me directly. Here is Dan’s article:

 

Cyber risks have become a major potential loss exposure for most corporations. Although nonexistent just a few years ago, most companies today are vulnerable to a growing list of threats relating to technology misuse. Not surprisingly, as businesses have become more reliant on technology, the resulting risks have become far more complex and potentially harmful.

 

Threats from hackers, thieves, third-party contractors, competitors and employees, as well as inadvertent misuse or loss of data, present potentially catastrophic financial and reputational risks to companies today. Even the most vigilant company can be a victim of a data breach or other cyber loss. Class action lawsuits, huge forensic and mitigation costs, notification and credit monitoring services and data restoration efforts can result in tens or even hundreds of millions of dollars of loss to a company. State attorneys general, federal and state regulators and plaintiff lawyers are all likely and formidable adversaries to the company if something goes wrong. In addition, the company’s computer systems may need to be shut down and business operations may be interrupted.

 

As with any other major risk exposure, directors should monitor the company’s cyber risks and confirm that reasonable steps are being taken to identify, prevent, mitigate and respond to cyber-related problems when they arise. Because these risks can damage not only the company but its customers, suppliers, other constituents and even the public, extra caution is necessary. Plus, new federal and state statutes and regulations are being adopted with increasing frequency which mandate appropriate company risk management practices in this area.

 

Directors are not expected to fully understand all of the risks, and all of the company’s risk management responses, in this highly technical area. However, directors should at a minimum comply with laws expressly applicable to them, should ask informed questions to gauge the company’s focus and preparedness in this area, and should generally understand the extent to which the company is insured—or not insured—for these exposures. The following discussion summarizes (i) new guidance from the SEC relating to cybersecurity risk disclosures, (ii) a sweeping new FTC rule relating to identity theft protection programs which requires board of director action, (iii) various questions a reasonably diligent director could ask to assure the company’s cyber risks are being properly addressed, and (iv) the types of insurance policies now available which cover—and do not cover—cyber risks.

 

A. SEC Disclosure Guidance

On October 13, 2011, the SEC’s Division of Corporation Finance released “CF Disclosure Guidance: Topic No. 2 – Cybersecurity.” That “Guidance” summarizes the SEC’s views regarding a company’s disclosure obligations relating to cybersecurity risks and incidents. It does not change existing disclosure law, but merely explains the SEC’s interpretation of that existing law to the evolving topic of cybersecurity.

 

The Guidance defines “cybersecurity” as “the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.” The Guidance recognizes that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, but that “a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.” The Guidance also notes that material information regarding cybersecurity risks and cyber incidents “is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” The Guidance then highlights the following specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents:

 

  • Risk Factors. Consistent with Regulation S-K Item 503(c), cybersecurity risk disclosures must adequately describe the nature of the material risks and specify how each risk affects the registrant. The Guidance specifically mentions that to the extent material, appropriate disclosures may include a description of relevant insurance coverage.
  • MD&A. Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect. 
  • Description of Business. If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in this section.
  • Legal Proceedings. If a material pending legal proceeding involves a cyber incident, the registrant may need to disclose information regarding such litigation in this section.
  • Financial Statements. The Guidance reviews a number of situations in which cybersecurity risks and cyber incidents could impact a company’s financial statement disclosures, including disclosures regarding accounting treatment, depending on the nature and severity of the actual or potential incident.
  • Disclosure Controls and Procedures. Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures.

 

The Guidance is not a new disclosure rule and should not be viewed as creating additional disclosure obligations, or expanding a public company’s existing disclosure obligations, regarding cybersecurity. However, in any shareholder litigation arising from a cyber incident, plaintiffs will undoubtedly challenge the disclosures based on this new Guidance.

 

The intent and focus of these new Guidelines is to provide better clarity to public companies with respect to what disclosures are required by existing laws and regulations with respect to cyber risks and incidents. Obviously, the SEC wants shareholders to be informed about what harm has occurred or could occur to the company with respect to cyber matters. In making those disclosures, the SEC recognizes that a company may need to disclose what relevant insurance coverage the company maintains in order to put the risk disclosures into proper context (i.e., the existence and disclosure of insurance will tend to offset some of the potential harm to the company arising from the cyber risks being disclosed).

 

This new SEC Guidance, by itself, should not materially impact a company’s insurance purchasing decision.  Like other areas of risk management, the ultimate question is whether a company believes it is prudent to transfer some of its cyber risk via an insurance product.  That is a classic business decision that typically is protected from judicial second-guessing via the business judgment rule.  The SEC is not now suggesting that companies should or should not purchase cyber insurance, but is merely stating that in order to present a full picture of a company’s “net” cyber exposure, a description of any relevant insurance coverage may need to be included in the company’s cyber disclosures.

 

Companies are struggling with how to respond to this new SEC guidance since cyber risks and cyber incidents are so difficult to predict, evaluate, quantify and describe. However, it is clear that there will be more cyber-related disclosures in the future than have occurred in the past. Because of that, companies may want to mitigate shareholder concerns arising from those additional cyber disclosures by purchasing and disclosing the existence of cyber insurance. Although disclosing insurance information in some contexts is not desirable because it may serve as a lightning rod for claims against the Insureds, that risk here should be minimal since most of the loss covered by a cyber policy would very likely be incurred with or without the policy existing and being known by third parties (i.e., the disclosure of a company’s cyber insurance should not attract claims that would not otherwise be filed as a result of a covered cyber incident).

 

B. FTC “Red Flags Rule”

Effective December 31, 2010, the so-called FTC “Red Flags Rule” (16 CFR 681) requires a wide variety of companies to adopt Identity Theft Protection Programs that identify warning signals which should alert a company to the risk of identity theft, and that detect, mitigate and deal with identity thefts when they occur. Importantly, the new Rule states that the Identity Theft Protection Program must be approved by the company’s board of directors or an appropriate committee designated by the board.

 

This new Rule applies to financial institutions and “creditors” with “covered accounts.” A “creditor” is broadly defined to mean “any person who regularly extends, renews or continues credit.” This definition appears to cover a wide variety of entities (including public utilities) that extend credit or give credit terms, such as permitting payment at the end of the month for goods or services rendered throughout the month. As a result, any company that permits deferred payments appears to be a “creditor” under this new FTC Rule. For example, if the company issues a bill and receives payment subsequent to the provision of the goods or services, that company probably is a “creditor” under this Rule. A “covered account” is likewise defined very broadly in the Rule to include an account offered primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions. A “covered account” also includes any business account if identity theft with respect to that account presents a reasonably foreseeable risk to consumers or to the safety and soundness of the company.

 

Under the Rule, larger and higher-risk entities must have a more comprehensive Identity Theft Protection Program than smaller or lower-risk entities. These Programs must include the establishment, testing and deployment of an effective program to identify and act upon “red flags” which alert the company to identity theft or the potential for identity theft. Merely adopting a program without proactive enforcement and oversight does not satisfy the Rule. Directors should carefully review the Identity Theft Protection Program recommended by management and should, before approving that Program, assure themselves that the Program is reasonably robust, sufficiently tailored to the unique circumstances of the company, is properly funded and staffed, and will be periodically reviewed by senior management and the board for effectiveness.

 

C. Cyber Risk Questions for Directors

For many companies, cyber risks represent one of the most volatile and potentially damaging exposures to the company. However, because these risks are so new, evolving and complex, many boards have given little if any attention to these risks. Although each company faces unique cyber risks and therefore each company’s response to these risks should be unique, the following summarizes 10 important questions which directors could ask in order to better understand these risks and whether the company is adequately responding to these risks.

 

  1. Is the responsibility and accountability for the creation, implementation, enforcement and updating of an integrated and company-wide cyber risk management program clearly defined at the executive level?
  2. Does the management team which addresses cyber risks include senior representatives from executive management, IT, legal, risk management, public relations and compliance/audit?
  3. Is the overall cyber risk management program periodically reviewed by the board?
  4. Does a board committee have designated oversight responsibility for the cyber risk management program?
  5. What are the company’s greatest cyber risks and how are those risks being anticipated, managed and mitigated?
  6. Is each component of the cyber risk management program documented, frequently tested and periodically audited by independent experts, and what are the results of that testing and audit?
  7. Are protocols for reacting to a cyber risk crisis when it occurs well defined and broadly understood?
  8. Are all employees required to participate in regular education and training programs relating to cyber risks?
  9. What is the company’s budget and staffing for cyber risk management and how does that compare with peer companies?
  10. What, if any, insurance coverage does the company maintain for cyber risks and is that coverage adequate in scope and amount?

 

D. Insurance Coverage

Directors should understand the extent to which the company is insured or uninsured for potentially severe cyber-related losses. Like other large risk exposures, quality insurance coverage with adequate limits of liability can greatly mitigate the ultimate impact of a cyber loss to the company’s financial health. In addition, many companies contractually require their vendors to maintain network security insurance which covers the vendor’s liability to the contracting company for accidental or criminal losses caused by the vendor. As a result, a company’s cyber insurance coverage should reflect both the company’s risk management philosophies and contractual obligations.

 

Traditional insurance policies maintained by a company typically provide very little, if any, coverage for many types of cyber risk. Standard commercial general liability (“CGL”) policies usually only cover damage to “tangible property” and therefore would not respond to loss or injury to intangible property. Although some limited coverage may exist under these policies for “personal injury” or “advertising injury,” many recent CGL policies (including the newest standard ISO general liability policy form) specifically exclude various types of cyber risk.

 

Likewise, a company’s crime or fidelity policy may have limited applicability depending upon the nature of the cyber-related loss. But, if the cyber risk results in a claim against directors and officers, the company’s D&O insurance policy likely will respond because those policies generally afford “all risk” coverage, subject to several exclusions. The most likely exclusion in a standard D&O policy which potentially could apply to a cyber claim is the property damage exclusion. However, like the scope of coverage under the CGL policy, the scope of this exclusion in the D&O policy is usually limited to damage to “tangible” property, so the exclusion should be inapplicable to most cyber claims.

 

To address these likely gaps in insurance coverage for the company, many insurance companies now offer various types of insurance policies specifically designed to cover cyber risks. These policies frequently cover both third party claims against the insureds, and first party losses incurred by the insureds, relating to a wide variety of cyber risks. These policies vary greatly among insurers and are still evolving. Because the types of cyber risks are constantly changing and because the policy language in these new types of policies is still largely untested, the exact contours of these newer policies are still being refined.

 

The third party coverage contained within these cyber policies usually applies to defense costs, settlements, judgments and other loss incurred in claims against the insureds by customers or other third parties if the alleged loss results from a broad range of wrongdoing by the company in connection with computer system, internet or other information-related matters, including breach of privacy due to theft, loss or misuse of data (including credit card, financial or health-related data); conduct which causes network systems to be unavailable to third parties or susceptible to computer virus or other third party attacks; or libel, slander, defamation, plagiarism, copyright or trademark infringement or other injuries resulting from “media” activities.

 

Examples of first party coverages in cyber policies include business interruption coverage for loss of business income as a result of an attack on the company’s network; cyber extortion coverage; public relations coverage associated with restoring public confidence following a cyber incident; cyber terrorism coverage; identity theft coverage for misuse or loss of confidential or private information; data restoration coverage; and coverage for notifying affected parties, providing credit monitoring services, incurring forensic costs to determine how the breach occurred, and restoring damaged hardware or software.

 

Cyber risk policies can be tailored to fit the unique exposures and needs of a particular company. Once a company identifies its most troubling cyber risk exposures, the company should work with an experienced cyber insurance broker to define and negotiate the desired coverage features and the appropriate insurance markets for that coverage. Like other types of negotiable insurance products, knowing what to ask for is extremely important to getting what you need.

 

The pace of bank closures has slowed to a trickle. There have only been three bank failures so far in 2013 (including one this past Friday evening, involving the Covenant Bank of Chicago, Illinois). But while bank failures have dwindled, the number of failed bank lawsuit filings has surged. On February 15, 2013, the FDIC updated its website to reflect a cluster of new failed bank lawsuit filings as well as an increased number of lawsuit authorizations. With the latest lawsuit authorizations, the FDIC is now approaching an authorized level of lawsuit filings comparable to the lawsuit filing level during the S&L Crisis.

 

With the three bank closures this year, there have now been a total of 471 bank failures since January 1, 2007. The FDIC’s latest litigation update shows that  during the current wave of bank failures the agency has now filed 51 lawsuits against the former directors and officers of 50 failed banks, meaning that the FDIC has already filed lawsuits in connection with just under 11% of all bank failures. But, as reflected in the updated information on the FDIC’s website, the agency has also authorized more lawsuits. The number of authorized lawsuits has continued to increase each month, as well.

 

As of February 15, 2013, the FDIC has authorized suits in connection with 102 failed institutions against 836 individuals for D&O liability. This includes the 51 filed lawsuits naming 396 former directors and officers at 50 institutions. In other words, there could be as many as 52 as-yet-to-be-filed lawsuits based just on the authorizations to date. Some of these authorized lawsuits may not ultimately be filed, as pre-litigation negotiations sometimes result in settlements that avert the need for a lawsuit to be filed. But were the FDIC to file lawsuits in connection with as many as 102 failed institutions, that would mean that the FDIC would have initiated lawsuits in connection with nearly 22% of all bank failures, a percentage that would approach the 24% rate during the S&L crisis. To the extent the agency authorizes even more lawsuits in coming months, the litigation rate could meet or even exceed the S&L crisis litigation rate.

 

The updated information on the FDIC’s website includes information relating to four additional filed bank lawsuits that I had not previously tracked. With the addition of these four latest suits, the FDIC has now filed a total of seven failed bank lawsuits so far in 2013, after having filed 26 during 2012. I briefly discuss each of the four latest lawsuits below. One interesting note about these four new suits is that none of them involve failed Georgia banks. As I have previously noted on this blog (most recently here, see second item), the failed bank lawsuits had been disproportionately concentrated in Georgia. These latest filings, none of which involve Georgia banks, might suggest that this imbalance may start to level out.

 

Here is a brief description of the four latest failed bank lawsuit filings.

 

First, on January 18, 2013, the FDIC in its capacity as receiver for the failed Columbia River Bank of The Dalles, Oregon filed an action in the District of Oregon against seven former officers and three former directors of the bank. The bank failed on January 22, 2010, so the FDIC filed the suit just ahead of the third year anniversary of the bank’s closure. The FDIC’s complaint (a copy of which can be found here) asserts claims against the former directors and officers for gross negligence, negligence and breach of fiduciary duties. The complaint alleges that the defendants “took unreasonable risks with the Bank’s loan portfolio, allowed irresponsible and unsustainable rapid asset growth concentrated in high-risk and speculative” loans, “disregarded regulator warnings,” and violated the Bank’s loan policies and procedures. The defendants allegedly caused damages to the bank of no less than $39 million.

 

Interestingly, though the Columbia River Bank was not closed until January 2010, all but one of the specific loans cited in the complaint were originated in 2006 and 2007 (the one exception was originated in early 2008). As time goes by, the loan originations cited in the FDIC’s complaint start to seem more and more like ancient history.

 

Second, on January 29, 2013, the FDIC filed an action in the Middle District of Florida in its capacity as receiver for the failed Orion Bank of Naples, Florida. The FDIC’s complaint can be found here. The FDIC’s complaint seeks to recover damages in excess of $58 million. The lineup of defendants is interesting, as the four individuals named as defendants are all former directors; none of the bank’s former officers are named as defendants.

 

The complaint, which asserts claims for gross negligence and breach of fiduciary duties, alleges that the bank “collapsed under the weight of the unsustainable growth strategy that the Defendants permitted Chief Executive Officer Jerry Williams to pursue.” Williams, the former CEO, is not named as a defendant in the case. The complaint alleges that as Williams pursued his “reckless growth strategy” he was “unrestrained” by the defendants who engaged in a “pattern of unconsidered acquiescence.” The Defendants are alleged to have approved loans “without meaningful deliberation or discussion.” The complaint alleges that the director defendants continued to “ignore” their duties even after the bank had entered an August 25, 2008 written agreement with the federal banking authorities that was specifically concerned with the directors’ oversight responsibilities.

 

The Orion Bank failed on November 13, 2009, which suggests that the parties may have entered some sort of a tolling agreement. The naming of only four former directors as defendants, and the absence of any officer defendants, is not explained in the complaint. One possibility is that negotiations while the tolling agreement was in place resulted in settlements on behalf of the former officers (this, I should add, is sheer speculation on my part).

 

Third, on January 31, 2013, the FDIC in its capacity as receiver of the failed Security Savings Bank of Henderson, Nevada, filed an action in the District of Nevada against three former directors and officers of the bank. The FDIC’s complaint (a copy of which can be found here) seeks to recover damages in excess of $13.1 million from the three defendants who allegedly “underwrote, recommended and/or voted to approve at least seven high-risk commercial real estate and acquisition and development and construction loans in violation of the Bank’s lending policies and clear principles of safety and soundness.”

 

The bank was closed and the FDIC appointed as receiver on February 27, 2009, which suggests that the parties had entered some sort of tolling agreement. The three defendants had resigned before the bank failed; two of them, the former CEO and the former Chief Credit Officer, had resigned in September 2008, and the third had resigned all the way back in December 2006. The three individual defendants have long since scattered, with two now living in Texas and a third living in Virginia. All of the specific loans mentioned in the FDIC’s complaint were originated in 2005 and 2006, which really does seem like ancient history.

 

Fourth, on February 13, 2013, the FDIC, in its capacity as receiver of the failed LaJolla Bank of LaJolla, California filed an action in the Southern District of California against two former officers of the bank and against the bank’s former board Chairman. The complaint (here) asserts claims for negligence, gross negligence and breach of fiduciary duty and seeks to recover damages in excess of $57 million. The complaint alleges that the defendants violated the bank’s loan policy and “safe and sound lending practices” by “recommending or approving speculative commercial real estate loans despite known adverse economic conditions,” as well as recommending or approving loans to borrowers who were not creditworthy, or without requiring sufficient underwriting and without sufficient information.

 

Regulators closed the LaJolla Bank on February 19, 2010, so the FDIC filed its complaint just prior to the third anniversary of the bank’s closure. The specific loans referenced in the complaint were originated between March 2007 and March 2009.

 

Reading these four complaints in quick succession was an interesting experience. Though there are noteworthy variations between the complaints (for example, with the Orion Bank complaint, which names only director defendants), there is also a certain sameness to the complaints, as well – so much so that some of the allegations and even phraseology seem to be lifted verbatim from other complaints. It is, after all, a familiar story. The banks grew quickly during a period of rapid economic expansion and then were slow to recognize the seriousness of the downturn. In the aftermath, it appears that many of the loans extended during the go-go days had not always been made with full procedural compliance. It does beg the question whether the losses were the result of the failure to follow procedures or of the suddenness and severity of the downturn.

 

Another unmistakable impression from reading these complaints in quick succession is that as time goes by, the events on which the FDIC is going to be trying to base its current and any future lawsuits are receding further and further into the past. As noted above with respect to the Security Savings Bank complaint, the defendants are scattering. As time goes by, the FDIC’s burden is going to become increasingly archeological.

 

This Just In From Our Istanbul Bureau — D&O Liability and Insurance in Turkey: As is the case in many countries, the use of D&O insurance is still relatively new in Turkey. However, as discussed in an interesting January 29, 2013 article by Naşe Taşdemir Önder and Pelin Baysal of the Mehmet Gün & Partners law firm entitled “Turkey: Directors’ and Officers’ Liability Insurance in View of the New Turkey Commercial Code” (here), new standards on corporate governance incorporated into the new Turkish Commercial Code are “expected” to “lead to increase in demand for D&O policies.”

 

According to the authors, the new Code introduces new requirements for “universal accounting and auditing standards and rules for increased transparency” which the authors expect will support the “operability” of “liability provisions.” According to the authors, the Code introduces a “heavier level of duty of care” for directors and officers. Among other things, the new Code provisions introduce certain specific types of liability provisions, including in particular liability for misrepresentations in documents and declarations and misrepresentations on capital subscription. The Code introduces many other new provisions, including new provisions allowing for claims by shareholders for losses incurred by the company.

 

With respect to insurance, the new Code specifies that third party liability insurance will be considered “occurrence based” unless otherwise indicated in the policy. The new Code also prohibits coverage for losses arising as a result of willful acts. The authors’ very thorough examination of the new Code’s insurance-related provisions details the many other specific insurance issues that the new Code addresses.

 

For anyone interested in the D&O liability and D&O insurance issues in Turkey, the authors’ memo is a valuable resource.

 

And Now, From Our Singapore Bureau: Regular readers of this blog may recall my post about my April 2012 visit to Singapore, which I found to be an interesting and impressive place. But Singapore’s transformation into a gleaming metropolis is relatively recent. As shown in this photo montage from Business Insider, Singapore had to become what it is today and relatively recently it was a very different place. I found these photographs, and the history they embody, to be fascinating.

 

And Finally: Kelefa Sanneh’s excellent and interesting article in the February 11 & 18 issue of The New Yorker entitled “Spirit Guide” (here), about whisky distiller Bruichladdich, contains the following sentence, written with reference to the whisky sampling techniques of the whisky maker’s master distiller, Jim McEwan: “It’s a simple process, but consumers hoping to reproduce McEwan’s results at home will find, no doubt, that some variant of the uncertainty principle applies: the more research you conduct, the less reliable your data become.” I tip my hat to the article’s author; the sentence has its own humor, in that conducting whisky research undoubtedly involves certain limits owing to the properties of the subject matter. But it is the sly side reference to Heisenberg’s uncertainty principle that I admire.

 

Though I could never hope to write with such sophisticated humor, I can certainly admire the writing, including also the following sentence from the same article: “The first part of the distillate, known as the foreshot, contains methanol, which can be toxic in large quantities – although the same could be said of whisky.” (Side note: In Scotland, there’s no “e” in whisky.)

 

In what may be the largest settlement ever in securities class action litigation involving a pharmaceutical company, Merck has agreed to a combined settlement of $688 million to settle two related securities class action cases. The company’s February 14, 2013 press release announcing the settlements can be found here.

 

The lawsuits relate to alleged representations concerning the anti-cholesterol drug Vytorin. The drug was marketed through a joint venture between Merck and Schering-Plough. The shareholder claimants allege that the companies and certain of their directors and officers withheld information relating to poor clinical trial results while continuing to promote the drug’s benefits.

 

 

According to the company’s press release, the company will pay $215 million to resolve the claims against the Merck defendants and $473 million to resolve the claims against the Schering-Plough defendants. The company also announced that it would take a pre-tax and after-tax charge of $493 million, which the company indicated "reflects anticipated insurance recoveries." (Although it is not entirely clear, the company statement about the charge suggests that the company "anticipates" insurance recoveries of $195 million, possibly under the insurance programs of the two companies). The settlements are subject to court approval.

 

 

According to Victor Li’s February 14, 2013 Am Law Litigation Daily article (here), the cases settled three weeks before they were set to go to trial. The article also quotes the lead plaintiffs’ lawyers as saying that the settlement is the largest ever involving a securities class action lawsuit against a pharmaceutical company; is among the top ten settlements in a securities class action that didn’t involve a restatement; and is among the 25 largest securities settlements of any kind.

 

 

Facebook IPO Derivative Suits Dismissed: In a February 13, 2013 opinion (here), Southern District of New York Judge Robert Sweet granted without prejudice the defendants’ motion to dismiss the Facebook IPO shareholders’ derivative suits that had been multidistricted before him. The ruling not only represents a win for the defendants in the derivative suits, but it could also prove helpful in the parallel securities class action litigation. In addition, parts of the opinion may also be helpful in other state court IPO cases and may even prove helpful for defendants attempting to address the multi-jurisdiction litigation problem in the M&A litigation context.

 

As Alison Frankel discusses in a February 14, 2012 post on her On the Case blog (here), Judge Sweet’s ruling contains strong language dismissing plaintiffs’ claims based on Facebook’s alleged failure to disclose internal projections, noting that "courts throughout the country" have "uniformly agreed" that the internal calculations are not material. He added that "an opposite ruling would have changed at least two decades of IPO practice."

 

Judge Sweet also (as Frankel puts it) "implicitly endorsed" the use of forum selection clauses in certificates of incorporation, though he denied Facebook’s motion to dismiss on forum selection grounds. According to the defense lawyers Frankel quotes in her post, the judge’s analysis of the issue, though clearly dicta, represents a "significant" development in a relatively undeveloped area of the law.

 

Judge Sweet also held that shareholders who purchased their shares in the IPO do not have standing to complain about pre-IPO conduct. Derivative plaintiffs must be able to show that they owned their shares at the time of the conduct they are complaining about. Because they did not own their shares at the time of the pre-IPO conduct that is the basis of their claims, they lack standing to assert claims based on that conduct.

 

Finally, Judge Sweet held that federal judges have discretion to consider threshold issues such as standing and forum selection clauses even before they determine whether they have jurisdiction over the derivative suits. It is this latter holding that Frankel suggests may be most helpful to defendants litigating multi-jurisdiction M&A litigation, because the defendants could remove the state court cases to federal court and before the case can be remanded the federal court might be able to rule on the threshold issues.
 

Securities class action filings in Canada were down in 2012 compared to 2011’s record number of filings and compared to recent annual averages, according to a February 13, 2013 report from NERA Economic Consulting. The report, which is entitled “Trends in Canadian Securities Class Actions: 2012 Update,” can be found here. NERA’s press release summarizing the report’s findings can be found here.

 

According to the report, there were nine securities class actions filed in Canada in 2012, down from the “all time high” of 15 new cases filed in 2011, and below the annual average of 12 new cases filed per year since 2008. Eight of the nine 2012 cases were filed under the secondary market civil liability provisions of the provincial securities acts (so-called “Bill 198” cases).

 

The downturn in the number of new Canadian securities class action lawsuit filings may be due in part to the abatement of a couple of filing trends that drove filings prior to 2012. In recent years, filing levels had been increased due to credit crisis related filings and due to the surge in cases against Chinese domiciled companies. There were no new case filings in Canada in 2012 related to either of these trends.

 

Eight of the nine cases involved companies with shares traded on the Toronto Stock Exchange. The ninth case involves Facebook, which does not have shares listed on a Canadian exchange. (As discussed here, there is recent Canadian authority allowing cases against companies whose shares traded exclusively on foreign exchanges to go forward in Canadian courts.) Six of the nine new Canadian securities class action cases had parallel U.S. filings.

 

In addition to these new filings in Canadian courts, there were six U.S. class action filings in 2012 involving Canadian-domiciled companies. Two of these six also involved parallel Canadian securities class actions, but four of the six involved companies for which there is no parallel Canadian class action.

 

Two-thirds of the 2012 securities class action filings in Canada were brought against companies in the mining or oil and gas sectors.

 

The most significant securities class action settlement in Canada is E&Y’s $117 million settlement in the Sino-Forest case, which, the report notes, if approved would represent “the largest settlement of a Bill 198 case to date.” There have only been two prior audit firm defendant settlements of Bill 198 cases, both of which involved the auditors’ agreement to pay $500,000 to settle the claims.

 

The report notes with respect to the twelve Bill 198 cases that have settled to date (excluding partial settlements, which would remove the E&Y/Sino Forest settlement from the calculation) that the average settlement amount is $10.5 million and the median settlement is $9.3 million. The average settlement as a percentage of compensatory damages claimed is 12.6% and the median is 8.9%. The average settlement of the four Bill 198 cases that had parallel U.S. claims is $16.9 million and the median is $17.2 million. The average of the settlements in the eight domestic-only cases is $7.4 million and the median is $5.4 million.

 

With new filings, settlements and dismissals during 2012, there are now a total of 51 active Canadian securities class actions, four more than at the end of 2011 and nearly double the number of active cases four years ago. All but nine of the cases still active as of the end of 2012 were filed after 2007. The combined impact of the growing number of open claims and case law developments suggests that “we may see more settlements during 2013 than we saw in 2012.”

 

For discussion of a recent law firm memo asking whether class action lawsuits in Canada had “reached maturity,” refer here.

 

Litigation related to M&A activity continued at an “extremely high rate” in 2012, according to the latest research update from Ohio State law professor Steven Davidoff and Notre Dame business professor Matthew Cain. According to the professors’ analysis, presented in their February 1, 2013 paper entitled “Takeover Litigation in 2012” (here), 91.7% of all merger transactions that met the professors’ criteria attracted at least one lawsuit, compared to 91.4% in 2011.

 

The professors’ paper is the latest update on their research originally presented in their January 2012 article entitled “A Great Game: The Dynamics of State Competition and Litigation” (here), which I reviewed here. Following the original article’s publication, the professors updated their research with additional litigation data regarding M&A transactions that took place in 2011. Their latest paper updates their research with regard to 2012 transactions.

 

The professors have limited their analysis to merger transactions over $100 million involving publicly traded target companies with an offering price of at least $5 per share. The 2012 update includes only transactions that were completed as of January 2013. The professors intend to update their 2012 data in six months to incorporate information relating to the in-process transactions.

 

It is probably worth noting that there were fewer deals that met the professors’ sorting criteria in 2012. There were only 84 deals with the defined characteristics in 2012, compared to 128 in 2011 (representing a year over year drop of 34%). But the percentage of deals attracting at least one lawsuit remained virtually unchanged, with 91.7% of deals attracting at least one suit, compared to 91.4%. The professors believe, based on anecdotal evidence, that when they update their 2012 data “the ultimate litigation rate will match or exceed the 91.7% figure.” Though the litigation rate is virtually unchanged from 2011, the 2012 rate is “almost 2.5% that of 2005,” when the litigation rate was only 39.3%.

 

The number of complaints brought per transaction remained at about 5.0 lawsuits per transaction, the same rate as in 2011 but more than double the mean number of lawsuits in 2005, when the figure was 2.2. Multi-jurisdiction litigation “remained similar in 2012 with 50.6% of transactions with litigation experiencing litigation in multiple states,” compared to 53% in 2011.

 

87.5% of all 2012 cases that had settled involved “disclosure only” settlements, compared to 79.5% in 2011. The average attorneys’ fees were down substantially in 2012, but that may be driven by a few larger settlements in 2011. The median attorneys’ fee award was about the same both years — $580,000 in 2011, $595,000 in 2012.

 

Delaware attracted a slightly reduced share of M&A litigation in 2012. The state attracted 46.7% of all litigation that could have been filed there in 2012, compared with 52.8% in 2011. Delaware “also appears to be dismissing fewer cases, thus allowing more cases to be settled” – 76.9% of Delaware cases settled in 2012, compared with 61.5% in 2008. The authors note, referencing their original paper, that “when Delaware loses cases to other jurisdictions it historically has dismissed fewer cases and allowed more to settle, consistent with conduct designed to reattract litigation.”

 

Discussion

Because of the authors’ sorting criteria, their analysis and conclusion are most relevant to the larger transactions. However, based on my own observations, the authors’ conclusions are consistent even with respect to the smaller deals that do not meet their sorting criteria. The explosion of M&A-related litigation in recent years has not been limited just to the larger companies and transactions.

 

The surge in M&A-related litigation in recent years has been one of the principal justifications the D&O insurance carriers have given as an explanation for their efforts to try to increase the insurance rates, particularly with respect to the rates for primary D&O insurance. In addition, the upsurge in M&A-related litigation has also affected the terms and conditions that the carriers are willing to offer. In particular, some carriers have been insisting on adding a separate, larger retention for M&A-related claims. The professors’ updated M&A-related litigation data seems to suggest that the carriers will try to continue to push rate and to try to include separate M&A-related claim retentions.

 

As I detailed in a prior post (here), the defense expenses and settlement amounts associated with M&A-related litigation represent a serious problem, for the companies involved and for their insurers. The prevalence of the multi-jurisdiction litigation is a particularly vexing problem, as the proliferating lawsuits are expensive to defend and difficult to resolve. Unfortunately, based on the professors’ updated research, all signs are that these phenomena will remain a significant part of the corporate and securities litigation landscape for the foreseeable future.

 

Special thanks to Professor Davidoff for providing me with a copy of his latest paper.

 

Chinese Reverse Merger Cases: Is There a “China Discount”?: During 2010 and 2011, and to a lesser extent during 2012, the plaintiffs’ securities lawyers rushed to file securities class action lawsuits against Chinese companies that had obtained a U.S. listing through a reverse merger. But while these cases flooded the courts, they have not proven to be a huge bonanza for the plaintiffs’ lawyers or their clients. As I noted in a prior post, the settlements so far have been rather modest.

 

Michael Goldhaber’s February 12, 2012 Am Law Litigation Daily article entitled “Whither Chinese Reverse Merger Litigation?” (here) suggests that there may be a “China discount” in the Chinese reverse merger cases. The article quotes a defense attorney with the Shearman & Sterling law firm as saying that there is now a “critical mass of settlements between $2 million and $3 million” and that these lower settlements “may exert a gravitational pull on other settlements down the road.” The article notes that “the remarkable uniformity of the settlements suggests that $5 million D&O insurance policies are standard for this niche,” adding that a policy of that amount allows enough for defense fees and a settlement compromise within the policy limit.

 

The two arguable exceptions to these generalizations both involve proceedings outside the U.S. The first is the $77.5 million Hong Kong arbitration award that C.V. Starr obtained against the founding shareholders of China MediaExpress Holdings (about which refer here), and the second is E&Y’s $118 million December 2012 settlement of a Canadian class action arising out of its audit of Sino-Forest Corporation (refer here). Though these two exceptions each have their own distinct characteristics, these developments may hearten the claimants in the other cases and give them the incentive to continue to try to press on. The evidence so far, however, suggests the greater likelihood of the more modest settlements that have tended to become the norm.

 

A particularly interesting feature of the Am Law Litigation Daily article is a link to a Shearman & Sterling document providing a comprehensive status summary of more than 75 disputes in U.S. forums relating to allegations of securities violations by Chinese parties, including more than 50 reverse merger companies. The summary document can be found here.